but still no go, it just keeps failing. Anyone have any working code or insight what I need to change to make it fly?

First year I ran the code, I ran it as domain admin. But last year I could swear it worked fine as account operator. This year, no matter what I do, I keep ending with error 9 on setinfo line. I do not get it. After fighting with it for days, I would welcome any help I can get to get it working again. Today after clicking manually on a few hundred accounts to untick that option, I can tell you my wrist hurts.

It might be that you have more ACEs than the 2 you are specifying (previous admins who don't know what they're doing etc.). If so, keep in mind that you have to reorder the ACEs before you put the DACL back. Deny ACEs go first, then just LIFO (last in, first out).

Note: To use the code documented in this example, you will need to be an Administrator. If you are not an Administrator, then you will need to add more code that will use an interface that will allow a user to change the way the client-side cache is flushed back to the Active Directory Domain Service.

And I just wonder, does that mean I have to be an administrator on the local computer or in the domain? If on the local computer, I do have UAC enabled, so that could be it.

OK, that code is completely different, as it requires adding a new ACE and supposedly that is not needed. And it shouldn't, since all these accounts already have an ACE. I just get an error when I try to modify them.

Many attributes in Active Directory have a data type (syntax) called Integer8. These 64-bit numbers (8 bytes) often represent time in 100-nanosecond intervals. If the Integer8 attribute is a date, the value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. Any leap seconds are ignored.

In .NET Framework (and PowerShell) these 100-nanosecond intervals are called ticks, equal to one ten-millionth of a second. There are 10,000 ticks per millisecond. In addition, .NET Framework and PowerShell DateTime values represent dates as the number of ticks since 12:00 AM January 1, 0001.

ADSI automatically employs the IADsLargeInteger interface to deal with these 64-bit numbers. This interface has two property methods, HighPart and LowPart, which break the number up into two 32-bit numbers. The HighPart and LowPart property methods return values between -2^31 and 2^31 - 1. The standard method of handling these attributes is demonstrated by this VBScript program to retrieve the domain lockoutDuration value in minutes.
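
The HighPart/LowPart arithmetic and the 1601 versus 0001 epoch difference described above, as an added PowerShell example (not code from the original page). The function names are hypothetical, the sample values are constructed, and it assumes interval attributes such as lockoutDuration are stored as negative counts.

```powershell
# Added example; function names are hypothetical, sample values are constructed.

function Join-Integer8 {
    # Rebuild the signed 64-bit value from the two signed 32-bit halves
    # that IADsLargeInteger exposes as HighPart and LowPart.
    param([int]$HighPart, [int]$LowPart)
    [long]$low = $LowPart
    # A negative LowPart is an unsigned low half >= 2^31 read as signed:
    # add 2^32 to recover it, otherwise the result is short by 2^32.
    if ($low -lt 0) { $low += 4294967296 }
    return ([long]$HighPart * 4294967296) + $low
}

function ConvertFrom-Integer8Interval {
    # Assumption: interval attributes hold a negative count of 100-ns
    # intervals. Return the magnitude in minutes.
    param([long]$Value)
    # 10,000,000 intervals per second * 60 seconds per minute.
    return [double]$Value / -600000000
}

function ConvertFrom-Integer8Date {
    # Date attributes count 100-ns intervals since 1601-01-01 (UTC), while
    # DateTime ticks count from 0001-01-01, so add the value to the 1601 epoch.
    param([long]$Value)
    $epoch = [DateTime]::FromFileTimeUtc(0)   # 1601-01-01 00:00:00 UTC
    $maxTicks = [DateTime]::MaxValue.Ticks - $epoch.Ticks
    # Values outside the DateTime range cannot be converted.
    if ($Value -lt 0 -or $Value -gt $maxTicks) { return $null }
    return $epoch.AddTicks($Value)
}

# Constructed sample: the two halves of the interval value -18000000000.
$raw = Join-Integer8 -HighPart (-5) -LowPart (-820130816)
"Raw value: {0}" -f $raw
"Minutes:   {0}" -f (ConvertFrom-Integer8Interval -Value $raw)

# Constructed sample: a date value passed as a single 64-bit number.
$when = ConvertFrom-Integer8Date -Value 132223104000000000
"Date:      {0:u}" -f $when
```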